detection.wiki

ATT&CK coverage › Technique

Compromise Host Software Binary T1554

Adversaries may modify host software binaries to establish persistent access to systems. Software binaries/executables provide a wide range of system commands or services, programs, and libraries. Common software binaries are SSH clients, FTP clients, email clients, web browsers, and many other user or server applications.

Events covered

10 catalog events are tagged with this technique by at least one rule.

ProviderEvent IDTitle
Sysmon1Process creation
Sysmon11FileCreate
Sysmon22DNSEvent (DNS query)
Sysmon23FileDelete (File Delete archived)
Sysmon26FileDeleteDetected (File Delete logged)
Security-Auditing4663An attempt was made to access an object.
Security-Auditing4688A new process has been created.
Security-Auditing4697A service was installed in the system.
Defender-DeviceEvents9007000Defender event (any)
Defender-DeviceProcessEvents9001000Process activity (any)

Authoring guide

Patterns shared across the 8 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (8 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

FieldRulesHowSample values
TargetFilename2in 2"*\\.github\\workflows\\*.yaml", "*/.github/workflows/*.yaml", "*/.github/workflows/*.yml", "*\\.github\\workflows\\shai-hulud-workflow.yaml", "*\\.github\\workflows\\shai-hulud.yaml"
FileName1match 1build_processes
BuildProcessTime1le 1FileEditTime
Hashes1is_not_null 1
QueryName1match 1servicebus.windows.net
Image1match 1HybridConnectionManager
ServiceFileName1match 1HybridConnectionManager
ServiceName1eq 1HybridConnectionManager

Top indicator values (26 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

FieldKindValueRules (here)Corpus reach
FileNamematchbuild_processes1
BuildProcessTimeleFileEditTime1
QueryNamematchservicebus.windows.net1
ImagematchHybridConnectionManager1
ServiceNameeqHybridConnectionManager1
ServiceFileNamematchHybridConnectionManager1
TargetFilenamein"*\\.github\\workflows\\*.yaml"1
TargetFilenamein"*\\.github\\workflows\\*.yml"1
TargetFilenamein"*/.github/workflows/*.yaml"1
TargetFilenamein"*/.github/workflows/*.yml"1
TargetFilenamein"*\\.github\\workflows\\shai-hulud-workflow.yml"1
TargetFilenamein"*/.github/workflows/shai-hulud-workflow.yaml"1
TargetFilenamein"*\\.github\\workflows\\shai-hulud-workflow.yaml"1
TargetFilenamein"*\\.github\\workflows\\formatter_*.yaml"1
TargetFilenamein"*/.github/workflows/discussion.yml"1
TargetFilenamein"*/.github/workflows/formatter_*.yaml"1
TargetFilenamein"*/.github/workflows/shai-hulud.yaml"1
TargetFilenamein"*\\.github\\workflows\\discussion.yaml"1
TargetFilenamein"*\\.github\\workflows\\discussion.yml"1
TargetFilenamein"*/.github/workflows/discussion.yaml"1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 2 rules

Splunk 2 rules

Kusto Query Language 4 rules